SoapClient feature: Helper function to signed SOAP messages

[jahyvari]

Usage:

$client = new SoapClient("my.wsdl");

$client->__setWSS(array(                                    // New function to SoapClient: __setWSS
    "digest_method"     => SOAP_WSS_DIGEST_METHOD_SHA256,   // New constants: SOAP_WSS_DIGEST_METHOD_SHA1, SOAP_WSS_DIGEST_METHOD_SHA256 & SOAP_WSS_DIGEST_METHOD_SHA512
    "wss_version"       => SOAP_WSS_VERSION_1_1,            // New constants: SOAP_WSS_VERSION_1_0 & SOAP_WSS_VERSION_1_1
    "add_timestamp"     => true,
    "timestamp_expires" => 300,
    "x509_binsectoken"  => file_get_contents("cert.der"),
    "signfunc"          => function($data) {
        $signature = "";
        openssl_sign(
            $data,
            $signature,
            openssl_pkey_get_private("file://priv.key"),
            OPENSSL_ALGO_SHA1
        );
        return $signature;
    }
));

$client->testFunction(array(
    "Param1" => "foo",
    "Param2" => "bar"
));

Generated SOAP message:

<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope" xmlns:ns1="http://localhost/" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <env:Header>
        
        <!-- Generated WSS header -->
        
        <wsse11:Security env:mustUnderstand="true">
            <wsu:Timestamp wsu:Id="TimestampID-1">
                <wsu:Created>2022-01-01T00:00:00Z</wsu:Created>
                <wsu:Expires>2022-01-01T00:05:00Z</wsu:Expires>
            </wsu:Timestamp>
            <wsse11:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="TokenID-1">...</wsse11:BinarySecurityToken>
            <ds:Signature>
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                    <ds:Reference URI="#TimestampID-1">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue>...</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#BodyID-1">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                        <ds:DigestValue>...</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>...</ds:SignatureValue>
                <ds:KeyInfo>
                    <wsse11:SecurityTokenReference>
                        <wsse11:Reference URI="#TokenID-1" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                    </wsse11:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse11:Security>
        
        <!-- Header end -->
        
    </env:Header>
    <env:Body wsu:Id="BodyID-1">
        <ns1:testFunctionIn>
            <ns1:Param1>foo</ns1:Param1>
            <ns1:Param2>bar</ns1:Param2>
        </ns1:testFunctionIn>
    </env:Body>
</env:Envelope>

WSS specifications:

https://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf
https://www.oasis-open.org/committees/download.php/16790/wss-v1.1-spec-os-SOAPMessageSecurity.pdf

[cmb69]

Apparently, this PR breaks the Windows build of ext/soap. Can you please have a look?

[jahyvari]

The error seems to be:

error LNK2019: unresolved external symbol __imp_xmlOutputBufferGetContent
error LNK2019: unresolved external symbol __imp_xmlOutputBufferGetSize

I was able to fix this issue with my local Windows build by adding a following to config.w32 file:

} else {
    if (!CHECK_LIB('libxml2.lib', 'soap')) {
        WARNING("soap support can't be enabled, libxml is not found");
    }
}

Unfortunately I'm not that familiar with PHPs Windows build system, so I can't say was that the best possible solution.

[cmb69]

I was able to fix this issue with my local Windows build by adding a following to config.w32 file:

Ah, I see, thanks! I think instead of that, the missing functions should be declared in php_libxml2.def.

[jahyvari]

Thanks! I added missing declarations to php_libxml2.def and removed CHECK_LIB from w32.

[vaclavvanik]

Hi Jahyvari,

+1 for WSS support. I think __setWSS does two things.

a) it creates SOAP header
b) it injects SOAP header to SOAP message

Imho I would create factory method which creates WSS SOAP header. Returned header could be used in __soapCall.

$client = new SoapClient("my.wsdl");

$wssSoapHeader = $client->__createSoapWssHeader(array(      // New function to SoapClient: reateSoapWssHeader
    "digest_method"     => SOAP_WSS_DIGEST_METHOD_SHA256,   // New constants: SOAP_WSS_DIGEST_METHOD_SHA1, SOAP_WSS_DIGEST_METHOD_SHA256 & SOAP_WSS_DIGEST_METHOD_SHA512
    "wss_version"       => SOAP_WSS_VERSION_1_1,            // New constants: SOAP_WSS_VERSION_1_0 & SOAP_WSS_VERSION_1_1
    "add_timestamp"     => true,
    "timestamp_expires" => 300,
    "x509_binsectoken"  => file_get_contents("cert.der"),
    "signfunc"          => function($data) {
        $signature = "";
        openssl_sign(
            $data,
            $signature,
            openssl_pkey_get_private("file://priv.key"),
            OPENSSL_ALGO_SHA1
        );
        return $signature;
    }
));


$client->__soapCall("SomeFunction", [$a, $b, $c], null, $wssSoapHeader);

For direct soap method call

$client->testFunction(array(
    "Param1" => "foo",
    "Param2" => "bar"
));

which require wss header existing __setSoapHeaders method could be used. If I am not wrong.

[jahyvari]

which require wss header existing __setSoapHeaders method could be used. If I am not wrong.

Hi, thanks for feedback! __setSoapHeaders can be used for static WSS headers (plain username and password). But when there is a need for signed SOAP messages, then the signature varies between SOAP calls because it is calculated from SOAP Body (and timestamp if used). And therefore signature can be injected/calculated only after the SOAP Body has been constructed.

[vaclavvanik]

Thanks for response and clarification. I am not familiar with WSS.

[DemiMarie]

If I may make a request: would it be possible for the final output to be canonicalized XML with no comments, to make life a bit easier on consumers?

[jahyvari]

If I may make a request: would it be possible for the final output to be canonicalized XML with no comments, to make life a bit easier on consumers?

The example output above was manually pretty printed and commented for clarity purposes. Actual output format is the same as before = minified XML without comments.

[github-actions]

There has not been any recent activity in this PR. It will automatically be closed in 7 days if no further action is taken.

[jahyvari]

There has not been any recent activity in this PR. It will automatically be closed in 7 days if no further action is taken.

Hi. Is there anything else what I should do for this PR, or could this go to be Reviewed?

[bukka]

Apology for this not getting any review. I noticed this issue yesterday when going through 8.2 milestone and needed to look to some other things as well. I had a quick look but unfortunately it's too big to get properly reviewed for PHP 8.2 at this time (feature freeze is end of today).

I will try to look more to the SOAP issues as the extension has been quite neglected. I will do my best to get this at least to 8.3. If you could rebase it in the meantime and get the pipeline green, that would be great.

[jahyvari]

Apology for this not getting any review. I noticed this issue yesterday when going through 8.2 milestone and needed to look to some other things as well. I had a quick look but unfortunately it's too big to get properly reviewed for PHP 8.2 at this time (feature freeze is end of today).

I will try to look more to the SOAP issues as the extension has been quite neglected. I will do my best to get this at least to 8.3. If you could rebase it in the meantime and get the pipeline green, that would be great.

Hi. Thanks for getting back to this. I rebased the PR.

[DemiMarie]

Suggested change

	case SOAP_WSS_DIGEST_METHOD_SHA1:
	algo = zend_string_init("sha1", strlen("sha1"), 0);
	ops = php_hash_fetch_ops(algo);
	xmlSetProp(reference_dm, BAD_CAST("Algorithm"), BAD_CAST(SOAP_WSS_SHA1));
	break;

SHA1 ought to be dead. Let’s not add another use of it.

[bukka]

It might be needed for legacy servers so I would keep it - there's not such a big harm in it.

[DemiMarie]

Can this fail?

[DemiMarie]

Ditto

[DemiMarie]

This should throw an exception.

[DemiMarie]

Ditto.

[DemiMarie]

Can this fail (e.g. with out of memory)?

[DemiMarie]

This should throw.

[bukka]

I think we want to keep it consistent and the extension mainly uses warnings from the quick look so I would keep it that way. The algorithm above could be exception but this is failure so it might be better to be a warning for consistency.

[DemiMarie]

The problem is that unless one sets an error handler, there is no way to know what happened.

[jahyvari]

SOAP extension seem to use E_ERROR's, E_WARNING's & SoapFault object to signal error events. So maybe some of these new warnings ("invalid hashing algorithm" & "unknown hashing algorithm") could be E_ERROR's instead and this one maybe a SoapFault?

[DemiMarie]

E_ERROR and E_WARNING are bad. No idea about SoapFault.

[DemiMarie]

Can any of the xml* calls fail due to out of memory?

[jahyvari]

Possibly if the libxml handles everything in memory, but then the same goes for the rest of the SOAP extension where xml* calls are used.

[DemiMarie]

SHA-1 should not be supported.

[vaclavvanik]

Hello Jahyvari,
as I wrote before I am not familiar with WSS.

I have few suggestions.

Your proposal is add __setWss method with plenty of params.
It is unclear which params are required. Which values should be passed and so on.

What about create a class eg.

class WssSigner
{
   //...
   //...
    public function __construct(
        string $digestMethod,
        string $wssVersion,
        bool $addTimestamp,
        int $expires,
        string x509BinSecToken,
        callable $callback
    ) {
       //...
    }

    // I am not sure about in/out typehints
    public function sign(string $request): string
    {
       //...
    }
}

and then pass the instance into soapClient:

$signer = new WssSigner(
    SOAP_WSS_DIGEST_METHOD_SHA256,
    SOAP_WSS_VERSION_1_1,
    true,
    300,
    file_get_contents("cert.der"),
    function($data) {
        $signature = "";
        openssl_sign(
            $data,
            $signature,
            openssl_pkey_get_private("file://priv.key"),
            OPENSSL_ALGO_SHA1
        );
        return $signature;
    }
);

$client = new SoapClient("my.wsdl");
$client->__setWSS($signer);

If WssSigner was very variable on input params than I would create WssSigner interface with concrete implementations.

I think my proposal has much better type hinting and as bonus it could be used standalone.

[jahyvari]

What about create a class eg.

Yep, I agree. That could be better for the type hinting. I think that I based the current function signature to SoapClient's constructor which takes the options as an array.